LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-0998 CVE STATUS: Ignored CVE DETAIL: not-applicable-config CVE DESCRIPTION: The VNC server can expose host files uder some circumstances. We don't enable it by default. CVE SUMMARY: The VNC server implementation in QEMU, as used by Xen and possibly other environments, allows local users of a guest operating system to read arbitrary files on the host operating system via unspecified vectors related to QEMU monitor mode, as demonstrated by mapping files to a CDROM device. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-0998 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-1320 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the cirrus_invalidate_region function in the Cirrus VGA extension in QEMU 0.8.2, as used in Xen and possibly other products, might allow local users to execute arbitrary code via unspecified vectors related to "attempting to mark non-existent regions as dirty," aka the "bitblt" heap overflow. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1320 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-1321 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the NE2000 emulator in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to trigger a heap-based buffer overflow via certain register values that bypass sanity checks, aka QEMU NE2000 "receive" integer signedness error. NOTE: this identifier was inadvertently used by some sources to cover multiple issues that were labeled "NE2000 network driver and the socket code," but separate identifiers have been created for the individual vulnerabilities since there are sometimes different fixes; see CVE-2007-5729 and CVE-2007-5730. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1321 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-1322 CVE STATUS: Patched CVE SUMMARY: QEMU 0.8.2 allows local users to halt a virtual machine by executing the icebp instruction. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1322 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-1366 CVE STATUS: Patched CVE SUMMARY: QEMU 0.8.2 allows local users to crash a virtual machine via the divisor operand to the aam instruction, as demonstrated by "aam 0x0," which triggers a divide-by-zero error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-1366 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-5729 CVE STATUS: Patched CVE SUMMARY: The NE2000 emulator in QEMU 0.8.2 allows local users to execute arbitrary code by writing Ethernet frames with a size larger than the MTU to the EN0_TCNT register, which triggers a heap-based buffer overflow in the slirp library, aka NE2000 "mtu" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the mtu overflow vulnerability. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5729 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-5730 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in QEMU 0.8.2, as used in Xen and possibly other products, allows local users to execute arbitrary code via crafted data in the "net socket listen" option, aka QEMU "net socket" heap overflow. NOTE: some sources have used CVE-2007-1321 to refer to this issue as part of "NE2000 network driver and the socket code," but this is the correct identifier for the individual net socket listen vulnerability. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-5730 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2007-6227 CVE STATUS: Patched CVE SUMMARY: QEMU 0.9.0 allows local users of a Windows XP SP2 guest operating system to overwrite the TranslationBlock (code_gen_buffer) buffer, and probably have unspecified other impacts related to an "overflow," via certain Windows executable programs, as demonstrated by qemu-dos.com. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2007-6227 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-0928 CVE STATUS: Patched CVE SUMMARY: Qemu 0.9.1 and earlier does not perform range checks for block device read or write requests, which allows guest host users with root privileges to access arbitrary memory and escape the virtual machine. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-0928 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-1945 CVE STATUS: Patched CVE SUMMARY: QEMU 0.9.0 does not properly handle changes to removable media, which allows guest OS users to read arbitrary files on the host OS by using the diskformat: parameter in the -usbdevice option to modify the disk-image header to identify a different format, a related issue to CVE-2008-2004. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-1945 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-2004 CVE STATUS: Patched CVE SUMMARY: The drive_init function in QEMU 0.9.1 determines the format of a raw disk image based on the header, which allows local guest users to read arbitrary files on the host by modifying the header to identify a different format, which is used when the guest is restarted. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2004 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-2382 CVE STATUS: Patched CVE SUMMARY: The protocol_client_msg function in vnc.c in the VNC server in (1) Qemu 0.9.1 and earlier and (2) KVM kvm-79 and earlier allows remote attackers to cause a denial of service (infinite loop) via a certain message. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-2382 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-4539 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Cirrus VGA implementation in (1) KVM before kvm-82 and (2) QEMU on Debian GNU/Linux and Ubuntu might allow local users to gain privileges by using the VNC console for a connection, aka the LGD-54XX "bitblt" heap overflow. NOTE: this issue exists because of an incorrect fix for CVE-2007-1320. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4539 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-4553 CVE STATUS: Patched CVE SUMMARY: qemu-make-debian-root in qemu 0.9.1-5 on Debian GNU/Linux allows local users to overwrite arbitrary files via a symlink attack on temporary files and directories. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-4553 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2008-5714 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in monitor.c in Qemu 0.9.1 might make it easier for remote attackers to guess the VNC password, which is limited to seven characters where eight was intended. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2008-5714 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2009-3616 CVE STATUS: Patched CVE SUMMARY: Multiple use-after-free vulnerabilities in vnc.c in the VNC server in QEMU 0.10.6 and earlier might allow guest OS users to execute arbitrary code on the host OS by establishing a connection from a VNC client and then (1) disconnecting during data transfer, (2) sending a message using incorrect integer data types, or (3) using the Fuzzy Screen Mode protocol, related to double free vulnerabilities. CVSS v2 BASE SCORE: 8.5 CVSS v3 BASE SCORE: 9.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2009-3616 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2010-0297 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2010-0297 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-0011 CVE STATUS: Patched CVE SUMMARY: qemu-kvm before 0.11.0 disables VNC authentication when the password is cleared, which allows remote attackers to bypass authentication and establish VNC sessions. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-0011 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-1750 CVE STATUS: Patched CVE SUMMARY: Multiple heap-based buffer overflows in the virtio-blk driver (hw/virtio-blk.c) in qemu-kvm 0.14.0 allow local guest users to cause a denial of service (guest crash) and possibly gain privileges via a (1) write request to the virtio_blk_handle_write function or (2) read request to the virtio_blk_handle_read function that is not properly aligned. CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1750 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-1751 CVE STATUS: Patched CVE SUMMARY: The pciej_write function in hw/acpi_piix4.c in the PIIX4 Power Management emulation in qemu-kvm does not check if a device is hotpluggable before unplugging the PCI-ISA bridge, which allows privileged guest users to cause a denial of service (guest crash) and possibly execute arbitrary code by sending a crafted value to the 0xae08 (PCI_EJ_BASE) I/O port, which leads to a use-after-free related to "active qemu timers." CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-1751 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-2212 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the virtio subsystem in qemu-kvm 0.14.0 and earlier allows privileged guest users to cause a denial of service (guest crash) or gain privileges via a crafted indirect descriptor related to "virtqueue in and out requests." CVSS v2 BASE SCORE: 7.4 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2212 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-2527 CVE STATUS: Patched CVE SUMMARY: The change_process_uid function in os-posix.c in Qemu 0.14.0 and earlier does not properly drop group privileges when the -runas option is used, which allows local guest users to access restricted files on the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-2527 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-3346 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/scsi-disk.c in the SCSI subsystem in QEMU before 0.15.2, as used by Xen, might allow local guest users with permission to access the CD-ROM to cause a denial of service (guest crash) via a crafted SAI READ CAPACITY SCSI command. NOTE: this is only a vulnerability when root has manually modified certain permissions or ACLs. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:H/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-3346 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2011-4111 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the ccid_card_vscard_handle_message function in hw/ccid-card-passthru.c in QEMU before 0.15.2 and 1.x before 1.0-rc4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted VSC_ATR message. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:H/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2011-4111 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2012-2652 CVE STATUS: Patched CVE SUMMARY: The bdrv_open function in Qemu 1.0 does not properly handle the failure of the mkstemp function, when in snapshot node, which allows local users to overwrite or read arbitrary files via a symlink attack on an unspecified temporary file. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-2652 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2012-3515 CVE STATUS: Patched CVE SUMMARY: Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space." CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-3515 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2012-6075 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the e1000_receive function in the e1000 device driver (hw/e1000.c) in QEMU 1.3.0-rc2 and other versions, when the SBP and LPE flags are disabled, allows remote attackers to cause a denial of service (guest OS crash) and possibly execute arbitrary guest code via a large packet. CVSS v2 BASE SCORE: 9.3 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2012-6075 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-2007 CVE STATUS: Patched CVE SUMMARY: The qemu guest agent in Qemu 1.4.1 and earlier, as used by Xen, when started in daemon mode, uses weak permissions for certain files, which allows local users to read and write to these files. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2007 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-2016 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the way qemu v1.3.0 and later (virtio-rng) validates addresses when guest accesses the config space of a virtio device. If the virtio device has zero/small sized config space, such as virtio-rng, a privileged guest user could use this flaw to access the matching host's qemu address space and thus increase their privileges on the host. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-2016 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4148 CVE STATUS: Patched CVE SUMMARY: Integer signedness error in the virtio_net_load function in hw/net/virtio-net.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers a buffer overflow. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4148 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4149 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in virtio_net_load function in net/virtio-net.c in QEMU 1.3.0 through 1.7.x before 1.7.2 might allow remote attackers to execute arbitrary code via a large MAC table. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4149 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4150 CVE STATUS: Patched CVE SUMMARY: The virtio_net_load function in hw/net/virtio-net.c in QEMU 1.5.0 through 1.7.x before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors in which the value of curr_queues is greater than max_queues, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4150 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4151 CVE STATUS: Patched CVE SUMMARY: The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4151 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4344 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the SCSI implementation in QEMU, as used in Xen, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4344 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4375 CVE STATUS: Patched CVE SUMMARY: The qdisk PV disk backend in qemu-xen in Xen 4.2.x and 4.3.x before 4.3.1, and qemu 1.1 and other versions, allows local HVM guests to cause a denial of service (domain grant reference consumption) via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4375 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4377 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the virtio-pci implementation in Qemu 1.4.0 through 1.6.0 allows local users to cause a denial of service (daemon crash) by "hot-unplugging" a virtio device. CVSS v2 BASE SCORE: 2.3 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4377 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4526 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4526 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4527 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/timer/hpet.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via vectors related to the number of timers. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4527 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4529 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/pci/pcie_aer.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4529 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4530 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4530 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4531 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in target-arm/machine.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a negative value in cpreg_vmstate_array_len in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4531 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4532 CVE STATUS: Patched CVE SUMMARY: Qemu 1.1.2+dfsg to 2.1+dfsg suffers from a buffer overrun which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4532 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4533 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4533 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4534 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in hw/intc/openpic.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4534 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4535 CVE STATUS: Patched CVE SUMMARY: The virtqueue_map_sg function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary files via a crafted savevm image, related to virtio-block or virtio-serial read. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4535 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4536 CVE STATUS: Patched CVE SUMMARY: An user able to alter the savevm data (either on the disk or over the wire during migration) could use this flaw to to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4536 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4537 CVE STATUS: Patched CVE SUMMARY: The ssi_sd_transfer function in hw/sd/ssi-sd.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted arglen value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4537 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4538 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c in QEMU before 1.7.2 allow remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4538 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4539 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4539 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4540 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4540 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4541 CVE STATUS: Patched CVE SUMMARY: The usb_device_post_load function in hw/usb/bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, related to a negative setup_len or setup_index value. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4541 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4542 CVE STATUS: Patched CVE SUMMARY: The virtio_scsi_load_request function in hw/scsi/scsi-bus.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds array access. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4542 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-4544 CVE STATUS: Patched CVE SUMMARY: hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-4544 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2013-6399 CVE STATUS: Patched CVE SUMMARY: Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2013-6399 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0142 CVE STATUS: Patched CVE SUMMARY: QEMU, possibly before 2.0.0, allows local users to cause a denial of service (divide-by-zero error and crash) via a zero value in the (1) tracks field to the seek_to_sector function in block/parallels.c or (2) extent_size field in the bochs function in block/bochs.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0142 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0143 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the block drivers in QEMU, possibly before 2.0.0, allow local users to cause a denial of service (crash) via a crafted catalog size in (1) the parallels_open function in block/parallels.c or (2) bochs_open function in bochs.c, a large L1 table in the (3) qcow2_snapshot_load_tmp in qcow2-snapshot.c or (4) qcow2_grow_l1_table function in qcow2-cluster.c, (5) a large request in the bdrv_check_byte_request function in block.c and other block drivers, (6) crafted cluster indexes in the get_refcount function in qcow2-refcount.c, or (7) a large number of blocks in the cloop_open function in cloop.c, which trigger buffer overflows, memory corruption, large memory allocations and out-of-bounds read and writes. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0143 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0144 CVE STATUS: Patched CVE SUMMARY: QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input validations which could allow a remote user to execute arbitrary code on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0144 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0145 CVE STATUS: Patched CVE SUMMARY: Multiple buffer overflows in QEMU before 1.7.2 and 2.x before 2.0.0, allow local users to cause a denial of service (crash) or possibly execute arbitrary code via a large (1) L1 table in the qcow2_snapshot_load_tmp in the QCOW 2 block driver (block/qcow2-snapshot.c) or (2) uncompressed chunk, (3) chunk length, or (4) number of sectors in the DMG block driver (block/dmg.c). CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0145 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0146 CVE STATUS: Patched CVE SUMMARY: The qcow2_open function in the (block/qcow2.c) in QEMU before 1.7.2 and 2.x before 2.0.0 allows local users to cause a denial of service (NULL pointer dereference) via a crafted image which causes an error, related to the initialization of the snapshot_offset and nb_snapshots fields. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0146 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0147 CVE STATUS: Patched CVE SUMMARY: Qemu before 1.6.2 block diver for the various disk image formats used by Bochs and for the QCOW version 2 format, are vulnerable to a possible crash caused by signed data types or a logic error while creating QCOW2 snapshots, which leads to incorrectly calling update_refcount() routine. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0147 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0148 CVE STATUS: Patched CVE SUMMARY: Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_sector_size variables. These are used to derive other fields like 'sectors_per_block' etc. A user able to alter the Qemu disk image could ise this flaw to crash the Qemu instance resulting in DoS. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0148 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0150 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the virtio_net_handle_mac function in hw/net/virtio-net.c in QEMU 2.0 and earlier allows local guest users to execute arbitrary code via a MAC addresses table update request, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0150 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0182 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted config length in a savevm image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0182 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0222 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0222 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-0223 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-0223 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-2894 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-2894 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-3461 CVE STATUS: Patched CVE SUMMARY: hw/usb/bus.c in QEMU 1.6.2 allows remote attackers to execute arbitrary code via crafted savevm data, which triggers a heap-based buffer overflow, related to "USB post load checks." CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3461 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-3471 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virtio block devices. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3471 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-3615 CVE STATUS: Patched CVE SUMMARY: The VGA emulator in QEMU allows local guest users to read host memory by setting the display to a high resolution. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3615 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-3640 CVE STATUS: Patched CVE SUMMARY: The sosendto function in slirp/udp.c in QEMU before 2.1.2 allows local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3640 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-3689 CVE STATUS: Patched CVE SUMMARY: The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-3689 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-5263 CVE STATUS: Patched CVE SUMMARY: vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5263 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-5388 CVE STATUS: Patched CVE SUMMARY: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allows local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-5388 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-7815 CVE STATUS: Patched CVE SUMMARY: The set_pixel_format function in ui/vnc.c in QEMU allows remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7815 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-7840 CVE STATUS: Patched CVE SUMMARY: The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allows remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-7840 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-8106 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-8106 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2014-9718 CVE STATUS: Patched CVE SUMMARY: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality in QEMU 1.0 through 2.1.3 have multiple interpretations of a function's return value, which allows guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2014-9718 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-1779 CVE STATUS: Patched CVE SUMMARY: The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-1779 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-3209 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3209 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-3214 CVE STATUS: Patched CVE SUMMARY: The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3214 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-3456 CVE STATUS: Patched CVE SUMMARY: The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM. CVSS v2 BASE SCORE: 7.7 CVSS v3 BASE SCORE: 0.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-3456 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-4037 CVE STATUS: Patched CVE SUMMARY: The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4037 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-4106 CVE STATUS: Patched CVE SUMMARY: QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-4106 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5154 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5154 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5158 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5158 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5225 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5225 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5239 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5239 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5278 CVE STATUS: Patched CVE SUMMARY: The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5278 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5279 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 0.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5279 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-5745 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-5745 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-6815 CVE STATUS: Patched CVE SUMMARY: The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 3.5 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6815 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-6855 CVE STATUS: Patched CVE SUMMARY: hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-6855 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-7295 CVE STATUS: Patched CVE SUMMARY: hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 0.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7295 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-7504 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7504 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-7512 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7512 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-7549 CVE STATUS: Patched CVE SUMMARY: The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-7549 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8345 CVE STATUS: Patched CVE SUMMARY: The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8345 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8504 CVE STATUS: Patched CVE SUMMARY: Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8504 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8556 CVE STATUS: Patched CVE SUMMARY: Local privilege escalation vulnerability in the Gentoo QEMU package before 2.5.0-r1. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 10.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8556 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8558 CVE STATUS: Patched CVE SUMMARY: The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8558 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8567 CVE STATUS: Patched CVE SUMMARY: Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption). CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 7.7 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8567 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8568 CVE STATUS: Patched CVE SUMMARY: Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8568 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8613 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8613 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8619 CVE STATUS: Patched CVE SUMMARY: The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8619 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8666 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 7.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8666 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8701 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the Rocker switch emulation support is vulnerable to an off-by-one error. It happens while processing transmit (tx) descriptors in 'tx_consume' routine, if a descriptor was to have more than allowed (ROCKER_TX_FRAGS_MAX=16) fragments. A privileged user inside guest could use this flaw to cause memory leakage on the host or crash the QEMU process instance resulting in DoS issue. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8701 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8743 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the NE2000 device emulation support is vulnerable to an OOB r/w access issue. It could occur while performing 'ioport' r/w operations. A privileged (CAP_SYS_RAWIO) user/process could use this flaw to leak or corrupt QEMU memory bytes. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8743 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8744 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It occurs when a guest sends a Layer-2 packet smaller than 22 bytes. A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8744 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8745 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with a VMWARE VMXNET3 paravirtual NIC emulator support is vulnerable to crash issue. It could occur while reading Interrupt Mask Registers (IMR). A privileged (CAP_SYS_RAWIO) guest user could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8745 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8817 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built to use 'address_space_translate' to map an address to a MemoryRegionSection is vulnerable to an OOB r/w access issue. It could occur while doing pci_dma_read/write calls. Affects QEMU versions >= 1.6.0 and <= 2.3.1. A privileged user inside guest could use this flaw to crash the guest instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8817 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2015-8818 CVE STATUS: Patched CVE SUMMARY: The cpu_physical_memory_write_rom_internal function in exec.c in QEMU (aka Quick Emulator) does not properly skip MMIO regions, which allows local privileged guest users to cause a denial of service (guest crash) via unspecified vectors. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2015-8818 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-10028 CVE STATUS: Patched CVE SUMMARY: The virgl_cmd_get_capset function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a VIRTIO_GPU_CMD_GET_CAPSET command with a maximum capabilities size with a value of 0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10028 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-10029 CVE STATUS: Patched CVE SUMMARY: The virtio_gpu_set_scanout function in QEMU (aka Quick Emulator) built with Virtio GPU Device emulator support allows local guest OS users to cause a denial of service (out-of-bounds read and process crash) via a scanout id in a VIRTIO_GPU_CMD_SET_SCANOUT command larger than num_scanouts. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10029 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-10155 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/watchdog/wdt_i6300esb.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-10155 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-1568 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1568 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-1714 CVE STATUS: Patched CVE SUMMARY: The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly execute arbitrary code via an invalid current entry value in a firmware configuration. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 8.1 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1714 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-1922 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the TPR optimization for 32-bit Windows guests support is vulnerable to a null pointer dereference flaw. It occurs while doing I/O port write operations via hmp interface. In that, 'current_cpu' remains null, which leads to the null pointer dereference. A user or process could use this flaw to crash the QEMU instance, resulting in DoS issue. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1922 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-1981 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the QEMU instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-1981 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2197 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with an IDE AHCI emulation support is vulnerable to a null pointer dereference flaw. It occurs while unmapping the Frame Information Structure (FIS) and Command List Block (CLB) entries. A privileged user inside guest could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2197 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2198 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2198 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2391 CVE STATUS: Patched CVE SUMMARY: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2391 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2392 CVE STATUS: Patched CVE SUMMARY: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2392 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2538 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 7.1 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2538 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2841 CVE STATUS: Patched CVE SUMMARY: The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2841 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2857 CVE STATUS: Patched CVE SUMMARY: The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 8.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2857 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-2858 CVE STATUS: Patched CVE SUMMARY: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-2858 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-3710 CVE STATUS: Patched CVE SUMMARY: The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3710 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-3712 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the VGA module in QEMU allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) by editing VGA registers in VBE mode. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-3712 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4001 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet. CVSS v2 BASE SCORE: 4.3 CVSS v3 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4001 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4002 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4002 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4020 CVE STATUS: Patched CVE SUMMARY: The patch_instruction function in hw/i386/kvmvapic.c in QEMU does not initialize the imm32 variable, which allows local guest OS administrators to obtain sensitive information from host stack memory by accessing the Task Priority Register (TPR). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4020 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4037 CVE STATUS: Patched CVE SUMMARY: The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4037 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4439 CVE STATUS: Patched CVE SUMMARY: The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4439 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4441 CVE STATUS: Patched CVE SUMMARY: The get_cmd function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check DMA length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via unspecified vectors, involving an SCSI command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4441 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4453 CVE STATUS: Patched CVE SUMMARY: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4453 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4454 CVE STATUS: Patched CVE SUMMARY: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4454 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4952 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with VMWARE PVSCSI paravirtual SCSI bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds array access) via vectors related to the (1) PVSCSI_CMD_SETUP_RINGS or (2) PVSCSI_CMD_SETUP_MSG_RING SCSI command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4952 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-4964 CVE STATUS: Patched CVE SUMMARY: The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4964 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5105 CVE STATUS: Patched CVE SUMMARY: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, uses an uninitialized variable, which allows local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5105 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5106 CVE STATUS: Patched CVE SUMMARY: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5106 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5107 CVE STATUS: Patched CVE SUMMARY: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5107 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5126 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5126 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5238 CVE STATUS: Patched CVE SUMMARY: The get_cmd function in hw/scsi/esp.c in QEMU might allow local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5238 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5337 CVE STATUS: Patched CVE SUMMARY: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allows local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5337 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5338 CVE STATUS: Patched CVE SUMMARY: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allow local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5338 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-5403 CVE STATUS: Patched CVE SUMMARY: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-5403 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6351 CVE STATUS: Patched CVE SUMMARY: The esp_do_dma function in hw/scsi/esp.c in QEMU (aka Quick Emulator), when built with ESP/NCR53C9x controller emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the QEMU host via vectors involving DMA read into ESP command buffer. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 6.7 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6351 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6490 CVE STATUS: Patched CVE SUMMARY: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the descriptor buffer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6490 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6833 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6833 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6834 CVE STATUS: Patched CVE SUMMARY: The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6834 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6835 CVE STATUS: Patched CVE SUMMARY: The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6835 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6836 CVE STATUS: Patched CVE SUMMARY: The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6836 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-6888 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6888 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7116 CVE STATUS: Patched CVE SUMMARY: Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7116 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7155 CVE STATUS: Patched CVE SUMMARY: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7155 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7156 CVE STATUS: Patched CVE SUMMARY: The pvscsi_convert_sglist function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging an incorrect cast. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7156 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7157 CVE STATUS: Patched CVE SUMMARY: The (1) mptsas_config_manufacturing_1 and (2) mptsas_config_ioc_0 functions in hw/scsi/mptconfig.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via vectors involving MPTSAS_CONFIG_PACK. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7157 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7161 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet. CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7161 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7170 CVE STATUS: Patched CVE SUMMARY: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7170 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7421 CVE STATUS: Patched CVE SUMMARY: The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7421 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7422 CVE STATUS: Patched CVE SUMMARY: The virtqueue_map_desc function in hw/virtio/virtio.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via a large I/O descriptor buffer length value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7422 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7423 CVE STATUS: Patched CVE SUMMARY: The mptsas_process_scsi_io_request function in QEMU (aka Quick Emulator), when built with LSI SAS1068 Host Bus emulation support, allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors involving MPTSASRequest objects. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7423 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7466 CVE STATUS: Patched CVE SUMMARY: Memory leak in the usb_xhci_exit function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator), when the xhci uses msix, allows local guest OS administrators to cause a denial of service (memory consumption and possibly QEMU process crash) by repeatedly unplugging a USB device. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7466 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7907 CVE STATUS: Patched CVE SUMMARY: The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7907 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7908 CVE STATUS: Patched CVE SUMMARY: The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7908 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7909 CVE STATUS: Patched CVE SUMMARY: The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7909 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7994 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virtio_gpu_resource_create_2d function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_CREATE_2D commands. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7994 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-7995 CVE STATUS: Patched CVE SUMMARY: Memory leak in the ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via a large number of crafted buffer page select (PG) indexes. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-7995 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8576 CVE STATUS: Patched CVE SUMMARY: The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8576 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8577 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_read function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors related to an I/O read operation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8577 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8578 CVE STATUS: Patched CVE SUMMARY: The v9fs_iov_vunmarshal function in fsdev/9p-iov-marshal.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) by sending an empty string parameter to a 9P operation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8578 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8667 CVE STATUS: Patched CVE SUMMARY: The rc4030_write function in hw/dma/rc4030.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8667 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8668 CVE STATUS: Patched CVE SUMMARY: The rocker_io_writel function in hw/net/rocker/rocker.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging failure to limit DMA buffer size. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8668 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8669 CVE STATUS: Patched CVE SUMMARY: The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8669 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8909 CVE STATUS: Patched CVE SUMMARY: The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8909 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-8910 CVE STATUS: Patched CVE SUMMARY: The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-8910 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9101 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/net/eepro100.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9101 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9102 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9102 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9103 CVE STATUS: Patched CVE SUMMARY: The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9103 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9104 CVE STATUS: Patched CVE SUMMARY: Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9104 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9105 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9105 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9106 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9106 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9381 CVE STATUS: Patched CVE SUMMARY: Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9381 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9602 CVE STATUS: Patched CVE SUMMARY: Qemu before version 2.9 is vulnerable to an improper link following when built with the VirtFS. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 8.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9602 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9603 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow flaw was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support before 2.9; the issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. A privileged user/process inside a guest could use this flaw to crash the QEMU process or, potentially, execute arbitrary code on the host with privileges of the QEMU process. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 9.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9603 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9776 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9776 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9845 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9845 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9846 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while updating the cursor data in update_cursor_data_virgl. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9846 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9907 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the USB redirector usb-guest support is vulnerable to a memory leakage flaw. It could occur while destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9907 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9908 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET' command. A guest user/process could use this flaw to leak contents of the host memory bytes. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9908 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9911 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the USB EHCI Emulation support is vulnerable to a memory leakage issue. It could occur while processing packet data in 'ehci_init_transfer'. A guest user/process could use this issue to leak host memory, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9911 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9912 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the Virtio GPU Device emulator support is vulnerable to a memory leakage issue. It could occur while destroying gpu resource object in 'virtio_gpu_resource_destroy'. A guest user/process could use this flaw to leak host memory bytes, resulting in DoS for a host. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9912 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9913 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_device_unrealize_common function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) via vectors involving the order of resource cleanup. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9913 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9914 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in FileOperations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9914 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9915 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/9pfs/9p-handle.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the handle backend. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9915 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9916 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/9pfs/9p-proxy.c in QEMU (aka Quick Emulator) allows local privileged guest OS users to cause a denial of service (host memory consumption and possibly QEMU process crash) by leveraging a missing cleanup operation in the proxy backend. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9916 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9921 CVE STATUS: Patched CVE SUMMARY: Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9921 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9922 CVE STATUS: Patched CVE SUMMARY: The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving blit pitch values. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9922 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2016-9923 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the 'chardev' backend support is vulnerable to a use after free issue. It could occur while hotplug and unplugging the device in the guest. A guest user/process could use this flaw to crash a Qemu process on the host resulting in DoS. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-9923 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-10664 CVE STATUS: Patched CVE SUMMARY: qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10664 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-10806 CVE STATUS: Patched CVE SUMMARY: Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-10806 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-11334 CVE STATUS: Patched CVE SUMMARY: The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11334 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-11434 CVE STATUS: Patched CVE SUMMARY: The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-11434 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-12809 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-12809 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-13672 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13672 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-13673 CVE STATUS: Patched CVE SUMMARY: The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13673 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-13711 CVE STATUS: Patched CVE SUMMARY: Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-13711 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-14167 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-14167 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-15038 CVE STATUS: Patched CVE SUMMARY: Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15038 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-15118 CVE STATUS: Patched CVE SUMMARY: A stack-based buffer overflow vulnerability was found in NBD server implementation in qemu before 2.11 allowing a client to request an export name of size up to 4096 bytes, which in fact should be limited to 256 bytes, causing an out-of-bounds stack write in the qemu process. If NBD server requires TLS, the attacker cannot trigger the buffer overflow without first successfully negotiating TLS. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15118 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-15119 CVE STATUS: Patched CVE SUMMARY: The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15119 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-15124 CVE STATUS: Patched CVE SUMMARY: VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15124 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-15268 CVE STATUS: Patched CVE SUMMARY: Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15268 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-15289 CVE STATUS: Patched CVE SUMMARY: The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-15289 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-16845 CVE STATUS: Patched CVE SUMMARY: hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-of-bounds access. CVSS v2 BASE SCORE: 6.4 CVSS v3 BASE SCORE: 10.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-16845 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-17381 CVE STATUS: Patched CVE SUMMARY: The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-17381 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-18030 CVE STATUS: Patched CVE SUMMARY: The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18030 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-18043 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash). CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-18043 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-2615 CVE STATUS: Patched CVE SUMMARY: Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 9.1 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2615 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-2620 CVE STATUS: Patched CVE SUMMARY: Quick emulator (QEMU) before 2.8 built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. CVSS v2 BASE SCORE: 9.0 CVSS v3 BASE SCORE: 9.9 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2620 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-2630 CVE STATUS: Patched CVE SUMMARY: A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server's response to a 'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process. CVSS v2 BASE SCORE: 6.5 CVSS v3 BASE SCORE: 8.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2630 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-2633 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the 'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-2633 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5525 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5525 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5526 CVE STATUS: Patched CVE SUMMARY: Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5526 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5552 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virgl_resource_attach_backing function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5552 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5578 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virtio_gpu_resource_attach_backing function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_ATTACH_BACKING commands. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5578 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5579 CVE STATUS: Patched CVE SUMMARY: Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5579 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5667 CVE STATUS: Patched CVE SUMMARY: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5667 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5856 CVE STATUS: Patched CVE SUMMARY: Memory leak in the megasas_handle_dcmd function in hw/scsi/megasas.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) via MegaRAID Firmware Interface (MFI) commands with the sglist size set to a value over 2 Gb. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5856 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5857 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virgl_cmd_resource_unref function in hw/display/virtio-gpu-3d.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (host memory consumption) via a large number of VIRTIO_GPU_CMD_RESOURCE_UNREF commands sent without detaching the backing storage beforehand. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5857 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5898 CVE STATUS: Patched CVE SUMMARY: Integer overflow in the emulated_apdu_from_guest function in usb/dev-smartcard-reader.c in Quick Emulator (Qemu), when built with the CCID Card device emulator support, allows local users to cause a denial of service (application crash) via a large Application Protocol Data Units (APDU) unit. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5898 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5931 CVE STATUS: Patched CVE SUMMARY: Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5931 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5973 CVE STATUS: Patched CVE SUMMARY: The xhci_kick_epctx function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors related to control transfer descriptor sequence. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5973 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-5987 CVE STATUS: Patched CVE SUMMARY: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-5987 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-6058 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in NetRxPkt::ehdr_buf in hw/net/net_rx_pkt.c in QEMU (aka Quick Emulator), when the VLANSTRIP feature is enabled on the vmxnet3 device, allows remote attackers to cause a denial of service (out-of-bounds access and QEMU process crash) via vectors related to VLAN stripping. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6058 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-6505 CVE STATUS: Patched CVE SUMMARY: The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors, a different vulnerability than CVE-2017-9330. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-6505 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-7377 CVE STATUS: Patched CVE SUMMARY: The (1) v9fs_create and (2) v9fs_lcreate functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7377 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-7471 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVSS v2 BASE SCORE: 7.7 CVSS v3 BASE SCORE: 9.0 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7471 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-7493 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7493 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-7539 CVE STATUS: Patched CVE SUMMARY: An assertion-failure flaw was found in Qemu before 2.10.1, in the Network Block Device (NBD) server's initial connection negotiation, where the I/O coroutine was undefined. This could crash the qemu-nbd server if a client sent unexpected data during connection negotiation. A remote user or process could use this flaw to crash the qemu-nbd server resulting in denial of service. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7539 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-7718 CVE STATUS: Patched CVE SUMMARY: hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7718 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-7980 CVE STATUS: Patched CVE SUMMARY: Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-7980 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-8086 CVE STATUS: Patched CVE SUMMARY: Memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8086 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-8112 CVE STATUS: Patched CVE SUMMARY: hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8112 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-8284 CVE STATUS: Patched CVE SUMMARY: The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8284 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-8309 CVE STATUS: Patched CVE SUMMARY: Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. CVSS v2 BASE SCORE: 7.8 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8309 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-8379 CVE STATUS: Patched CVE SUMMARY: Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8379 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-8380 CVE STATUS: Patched CVE SUMMARY: Buffer overflow in the "megasas_mmio_write" function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-8380 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9060 CVE STATUS: Patched CVE SUMMARY: Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9060 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9310 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with the e1000e NIC emulation support, allows local guest OS privileged users to cause a denial of service (infinite loop) via vectors related to setting the initial receive / transmit descriptor head (TDH/RDH) outside the allocated descriptor buffer. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9310 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9330 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different vulnerability than CVE-2017-6505. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.6 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9330 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9373 CVE STATUS: Patched CVE SUMMARY: Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9373 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9374 CVE STATUS: Patched CVE SUMMARY: Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9374 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9375 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9375 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9503 CVE STATUS: Patched CVE SUMMARY: QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9503 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2017-9524 CVE STATUS: Patched CVE SUMMARY: The qemu-nbd server in QEMU (aka Quick Emulator), when built with the Network Block Device (NBD) Server support, allows remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs before talking to a client in the nbd_negotiate function. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2017-9524 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-10839 CVE STATUS: Patched CVE SUMMARY: Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-10839 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-11806 CVE STATUS: Patched CVE SUMMARY: m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. CVSS v2 BASE SCORE: 7.2 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-11806 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-12617 CVE STATUS: Patched CVE SUMMARY: qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-12617 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-15746 CVE STATUS: Patched CVE SUMMARY: qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-15746 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-16847 CVE STATUS: Patched CVE SUMMARY: An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16847 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-16867 CVE STATUS: Patched CVE SUMMARY: A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 7.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16867 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-16872 CVE STATUS: Patched CVE SUMMARY: A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS. CVSS v2 BASE SCORE: 3.5 CVSS v3 BASE SCORE: 5.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-16872 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-17958 CVE STATUS: Patched CVE SUMMARY: Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17958 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-17962 CVE STATUS: Patched CVE SUMMARY: Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17962 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-17963 CVE STATUS: Patched CVE SUMMARY: qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-17963 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-18438 CVE STATUS: Ignored CVE DETAIL: disputed CVE DESCRIPTION: The issues identified by this CVE were determined to not constitute a vulnerability. CVE SUMMARY: Qemu has integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18438 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-18849 CVE STATUS: Patched CVE SUMMARY: In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18849 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-18954 CVE STATUS: Patched CVE SUMMARY: The pnv_lpc_do_eccb function in hw/ppc/pnv_lpc.c in Qemu before 3.1 allows out-of-bounds write or read access to PowerNV memory. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-18954 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-19364 CVE STATUS: Patched CVE SUMMARY: hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19364 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-19489 CVE STATUS: Patched CVE SUMMARY: v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 4.7 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19489 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-19665 CVE STATUS: Patched CVE SUMMARY: The Bluetooth subsystem in QEMU mishandles negative values for length variables, leading to memory corruption. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 5.7 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-19665 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20123 CVE STATUS: Patched CVE SUMMARY: pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20123 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20124 CVE STATUS: Patched CVE SUMMARY: hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20124 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20125 CVE STATUS: Patched CVE SUMMARY: hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20125 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20126 CVE STATUS: Patched CVE SUMMARY: hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20126 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20191 CVE STATUS: Patched CVE SUMMARY: hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20191 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20216 CVE STATUS: Patched CVE SUMMARY: QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20216 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-20815 CVE STATUS: Patched CVE SUMMARY: In QEMU 3.1.0, load_device_tree in device_tree.c calls the deprecated load_image function, which has a buffer overflow risk. CVSS v2 BASE SCORE: 7.5 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-20815 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-5683 CVE STATUS: Patched CVE SUMMARY: The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-5683 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-7550 CVE STATUS: Patched CVE SUMMARY: The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7550 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2018-7858 CVE STATUS: Patched CVE SUMMARY: Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2018-7858 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-12067 CVE STATUS: Unpatched CVE SUMMARY: The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12067 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-12068 CVE STATUS: Patched CVE SUMMARY: In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12068 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-12155 CVE STATUS: Patched CVE SUMMARY: interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12155 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-12247 CVE STATUS: Patched CVE SUMMARY: QEMU 3.0.0 has an Integer Overflow because the qga/commands*.c files do not check the length of the argument list or the number of environment variables. NOTE: This has been disputed as not exploitable CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12247 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-12928 CVE STATUS: Patched CVE SUMMARY: The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12928 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-12929 CVE STATUS: Patched CVE SUMMARY: The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue CVSS v2 BASE SCORE: 10.0 CVSS v3 BASE SCORE: 9.8 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-12929 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-13164 CVE STATUS: Patched CVE SUMMARY: qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-13164 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-15034 CVE STATUS: Patched CVE SUMMARY: hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15034 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-15890 CVE STATUS: Patched CVE SUMMARY: libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-15890 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-20175 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in ide_dma_cb() in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest system can crash the QEMU process in the host system via a special SCSI_IOCTL_SEND_COMMAND. It hits an assertion that implies that the size of successful DMA transfers there must be a multiple of 512 (the size of a sector). NOTE: a member of the QEMU security team disputes the significance of this issue because a "privileged guest user has many ways to cause similar DoS effect, without triggering this assert. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20175 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-20382 CVE STATUS: Patched CVE SUMMARY: QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd. CVSS v2 BASE SCORE: 2.7 CVSS v3 BASE SCORE: 3.5 VECTOR: ADJACENT_NETWORK VECTORSTRING: AV:A/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20382 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-20808 CVE STATUS: Patched CVE SUMMARY: In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-20808 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-3812 CVE STATUS: Patched CVE SUMMARY: QEMU, through version 2.10 and through version 3.1.0, is vulnerable to an out-of-bounds read of up to 128 bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A local attacker with permission to execute i2c commands could exploit this to read stack memory of the qemu process on the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-3812 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-5008 CVE STATUS: Patched CVE SUMMARY: hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-5008 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-6501 CVE STATUS: Patched CVE SUMMARY: In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6501 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-6778 CVE STATUS: Patched CVE SUMMARY: In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6778 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-8934 CVE STATUS: Patched CVE SUMMARY: hw/ppc/spapr.c in QEMU through 3.1.0 allows Information Exposure because the hypervisor shares the /proc/device-tree/system-id and /proc/device-tree/model system attributes with a guest. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-8934 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2019-9824 CVE STATUS: Patched CVE SUMMARY: tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-9824 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-10702 CVE STATUS: Patched CVE SUMMARY: A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10702 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-10717 CVE STATUS: Patched CVE SUMMARY: A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10717 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-10761 CVE STATUS: Patched CVE SUMMARY: An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 5.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-10761 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-11102 CVE STATUS: Patched CVE SUMMARY: hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.6 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11102 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-11869 CVE STATUS: Patched CVE SUMMARY: An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11869 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-11947 CVE STATUS: Patched CVE SUMMARY: iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-11947 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-12829 CVE STATUS: Patched CVE SUMMARY: In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-12829 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13253 CVE STATUS: Patched CVE SUMMARY: sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13253 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13361 CVE STATUS: Patched CVE SUMMARY: In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 3.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13361 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13362 CVE STATUS: Patched CVE SUMMARY: In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13362 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13659 CVE STATUS: Patched CVE SUMMARY: address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. CVSS v2 BASE SCORE: 1.9 CVSS v3 BASE SCORE: 2.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13659 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13754 CVE STATUS: Patched CVE SUMMARY: hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13754 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13765 CVE STATUS: Patched CVE SUMMARY: rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.6 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13765 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13791 CVE STATUS: Patched CVE SUMMARY: hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13791 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-13800 CVE STATUS: Patched CVE SUMMARY: ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-13800 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-14364 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14364 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-14394 CVE STATUS: Patched CVE SUMMARY: An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14394 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-14415 CVE STATUS: Patched CVE SUMMARY: oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-14415 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-15469 CVE STATUS: Patched CVE SUMMARY: In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 2.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15469 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-15859 CVE STATUS: Patched CVE SUMMARY: QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15859 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-15863 CVE STATUS: Patched CVE SUMMARY: hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-15863 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-16092 CVE STATUS: Patched CVE SUMMARY: In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-16092 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-1711 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 6.0 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-1711 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-17380 CVE STATUS: Patched CVE SUMMARY: A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-17380 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-24165 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary code, escalate privileges, and cause a denial of service (DoS). Note: This is disputed as a bug and not a valid security issue by multiple third parties. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24165 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-24352 CVE STATUS: Patched CVE SUMMARY: An issue was discovered in QEMU through 5.1.0. An out-of-bounds memory access was found in the ATI VGA device implementation. This flaw occurs in the ati_2d_blt() routine in hw/display/ati_2d.c while handling MMIO write operations through the ati_mm_write() callback. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-24352 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25084 CVE STATUS: Patched CVE SUMMARY: QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25084 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25085 CVE STATUS: Patched CVE SUMMARY: QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25085 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25624 CVE STATUS: Patched CVE SUMMARY: hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. CVSS v2 BASE SCORE: 4.4 CVSS v3 BASE SCORE: 5.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25624 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25625 CVE STATUS: Patched CVE SUMMARY: hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. CVSS v2 BASE SCORE: 4.7 CVSS v3 BASE SCORE: 5.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25625 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25723 CVE STATUS: Patched CVE SUMMARY: A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25723 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25741 CVE STATUS: Patched CVE SUMMARY: fdctrl_write_data in hw/block/fdc.c in QEMU 5.0.0 has a NULL pointer dereference via a NULL block pointer for the current drive. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25741 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25742 CVE STATUS: Patched CVE SUMMARY: pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25742 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-25743 CVE STATUS: Patched CVE SUMMARY: hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-25743 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-27616 CVE STATUS: Patched CVE SUMMARY: ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27616 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-27617 CVE STATUS: Patched CVE SUMMARY: eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. CVSS v2 BASE SCORE: 4.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:S/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27617 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-27661 CVE STATUS: Patched CVE SUMMARY: A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27661 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-27821 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the memory management API of QEMU during the initialization of a memory region cache. This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-27821 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-28916 CVE STATUS: Patched CVE SUMMARY: hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-28916 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-29443 CVE STATUS: Patched CVE SUMMARY: ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. CVSS v2 BASE SCORE: 3.3 CVSS v3 BASE SCORE: 3.9 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-29443 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-35503 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35503 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-35504 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35504 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-35505 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35505 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-35506 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 6.7 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35506 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-35517 CVE STATUS: Patched CVE SUMMARY: A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-35517 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-7039 CVE STATUS: Patched CVE SUMMARY: tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code. CVSS v2 BASE SCORE: 6.8 CVSS v3 BASE SCORE: 5.6 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7039 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2020-7211 CVE STATUS: Patched CVE SUMMARY: tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2020-7211 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20181 CVE STATUS: Patched CVE SUMMARY: A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20181 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20196 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20196 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20203 CVE STATUS: Patched CVE SUMMARY: An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20203 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20221 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20221 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20255 CVE STATUS: Unpatched CVE SUMMARY: A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20255 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20257 CVE STATUS: Patched CVE SUMMARY: An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20257 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20263 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.3 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:P/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20263 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-20295 CVE STATUS: Patched CVE SUMMARY: It was discovered that the update for the virt:rhel module in the RHSA-2020:4676 (https://access.redhat.com/errata/RHSA-2020:4676) erratum released as part of Red Hat Enterprise Linux 8.3 failed to include the fix for the qemu-kvm component issue CVE-2020-10756, which was previously corrected in virt:rhel/qemu-kvm via erratum RHSA-2020:4059 (https://access.redhat.com/errata/RHSA-2020:4059). CVE-2021-20295 was assigned to that Red Hat specific security regression. For more details about the original security issue CVE-2020-10756, refer to bug 1835986 or the CVE page: https://access.redhat.com/security/cve/CVE-2020-10756. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-20295 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3392 CVE STATUS: Patched CVE SUMMARY: A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3392 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3409 CVE STATUS: Patched CVE SUMMARY: The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 5.7 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3409 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3416 CVE STATUS: Patched CVE SUMMARY: A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3416 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3507 CVE STATUS: Patched CVE SUMMARY: A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory. CVSS v2 BASE SCORE: 3.6 CVSS v3 BASE SCORE: 6.1 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3507 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3527 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3527 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3544 CVE STATUS: Patched CVE SUMMARY: Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3544 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3545 CVE STATUS: Patched CVE SUMMARY: An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3545 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3546 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3546 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3582 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3582 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3607 CVE STATUS: Patched CVE SUMMARY: An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3607 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3608 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3608 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3611 CVE STATUS: Patched CVE SUMMARY: A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU versions prior to 7.0.0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3611 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3638 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3638 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3682 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 6.0 CVSS v3 BASE SCORE: 8.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:M/Au:S/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3682 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3713 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 7.4 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3713 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3735 CVE STATUS: Patched CVE SUMMARY: A deadlock issue was found in the AHCI controller device of QEMU. It occurs on a software reset (ahci_reset_port) while handling a host-to-device Register FIS (Frame Information Structure) packet from the guest. A privileged user inside the guest could use this flaw to hang the QEMU process on the host, resulting in a denial of service condition. The highest threat from this vulnerability is to system availability. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3735 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3748 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. CVSS v2 BASE SCORE: 6.9 CVSS v3 BASE SCORE: 7.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:M/Au:N/C:C/I:C/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3748 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3750 CVE STATUS: Patched CVE SUMMARY: A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3750 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3929 CVE STATUS: Patched CVE SUMMARY: A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3929 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3930 CVE STATUS: Patched CVE SUMMARY: An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3930 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-3947 CVE STATUS: Patched CVE SUMMARY: A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-3947 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-4145 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node. CVSS v2 BASE SCORE: 4.9 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4145 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-4158 CVE STATUS: Patched CVE SUMMARY: A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4158 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-4206 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4206 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2021-4207 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2021-4207 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-0216 CVE STATUS: Patched CVE SUMMARY: A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 4.4 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0216 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-0358 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-0358 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-1050 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. CVSS v2 BASE SCORE: 4.6 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-1050 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-26353 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and other unexpected results. Affected QEMU version: 6.2.0. CVSS v2 BASE SCORE: 5.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: AV:N/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26353 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-26354 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results. Affected QEMU versions <= 6.2.0. CVSS v2 BASE SCORE: 2.1 CVSS v3 BASE SCORE: 3.2 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:N/I:N/A:P MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-26354 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-2962 CVE STATUS: Patched CVE SUMMARY: A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-2962 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-3165 CVE STATUS: Patched CVE SUMMARY: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3165 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-35414 CVE STATUS: Patched CVE SUMMARY: softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case in the qemu.org reference applies here, i.e., "Bugs affecting the non-virtualization use case are not considered security bugs at this time. CVSS v2 BASE SCORE: 6.1 CVSS v3 BASE SCORE: 8.8 VECTOR: LOCAL VECTORSTRING: AV:L/AC:L/Au:N/C:P/I:P/A:C MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-35414 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-36648 CVE STATUS: Patched CVE SUMMARY: The hardware emulation in the of_dpa_cmd_add_l2_flood of rocker device model in QEMU, as used in 7.0.0 and earlier, allows remote attackers to crash the host qemu and potentially execute code on the host via execute a malformed program in the guest OS. Note: This has been disputed by multiple third parties as not a valid vulnerability due to the rocker device not falling within the virtualization use case. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 10.0 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-36648 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-3872 CVE STATUS: Patched CVE SUMMARY: An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count == block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.6 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-3872 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-4144 CVE STATUS: Patched CVE SUMMARY: An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4144 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2022-4172 CVE STATUS: Patched CVE SUMMARY: An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2022-4172 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-0330 CVE STATUS: Patched CVE SUMMARY: A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0330 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-0664 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: Issue only applies on Windows CVE SUMMARY: A flaw was found in the QEMU Guest Agent service for Windows. A local unprivileged user may be able to manipulate the QEMU Guest Agent's Windows installer via repair custom actions to elevate their privileges on the system. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-0664 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-1386 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. When a local user in the guest writes an executable file with SUID or SGID, none of these privileged bits are correctly dropped. As a result, in rare circumstances, this flaw could be used by malicious users in the guest to elevate their privileges within the guest and help a host local user to elevate privileges on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.8 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1386 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-1544 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.3 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-1544 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-2680 CVE STATUS: Ignored CVE DETAIL: not-applicable-platform CVE DESCRIPTION: RHEL specific issue. CVE SUMMARY: This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 8.2 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2680 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-2861 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.1 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-2861 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-3019 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against versions before 8.2.0 CVE SUMMARY: A DMA reentrancy issue leading to a use-after-free error was found in the e1000e NIC emulation code in QEMU. This issue could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3019 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-3180 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3180 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-3255 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3255 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-3301 CVE STATUS: Patched CVE SUMMARY: A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.6 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3301 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-3354 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-3354 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-40360 CVE STATUS: Patched CVE SUMMARY: QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no check for whether an endurance group is configured before checking whether Flexible Data Placement is enabled. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-40360 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-4135 CVE STATUS: Patched CVE SUMMARY: A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-4135 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-42467 CVE STATUS: Patched CVE SUMMARY: QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-42467 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-5088 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against version 8.2.0 and earlier CVE SUMMARY: A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 7.0 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-5088 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-6683 CVE STATUS: Patched CVE SUMMARY: A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.5 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6683 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2023-6693 CVE STATUS: Ignored CVE DETAIL: cpe-incorrect CVE DESCRIPTION: Applies only against version 8.2.0 and earlier CVE SUMMARY: A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.3 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2023-6693 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2024-3567 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 5.5 VECTOR: LOCAL VECTORSTRING: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-3567 LAYER: meta PACKAGE NAME: nativesdk-qemu PACKAGE VERSION: 8.2.1 CVE: CVE-2024-6505 CVE STATUS: Unpatched CVE SUMMARY: A flaw was found in the virtio-net device in QEMU. When enabling the RSS feature on the virtio-net network card, the indirections_table data within RSS becomes controllable. Setting excessively large values may cause an index out-of-bounds issue, potentially resulting in heap overflow access. This flaw allows a privileged user in the guest to crash the QEMU process on the host. CVSS v2 BASE SCORE: 0.0 CVSS v3 BASE SCORE: 6.8 VECTOR: NETWORK VECTORSTRING: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2024-6505